ABSTRACT

The interleaving semantics is compatible with neither action refinement nor durational actions. Since many true concurrency semantics are congruent w.r.t. action refinement, notably the causality and the maximality ones [Cos93, Gla90], this has challenged us to study the dense time behaviour - where the actions are of arbitrary fixed duration - within the causality semantics of Da Costa [Cos93].



We extend the causal transition systems with clocks and timed constraints, and thus obtain a superclass of timed automata in which actions need not be atomic. We define a real-time extension of the formal description technique CSP, called duration-CSP, by attributing a duration to each action. We give the operational timed causal semantics of duration-CSP as well as its denotational semantics over the class of timed causal transition systems. Afterwards, we prove that the two semantics are equivalent. Finally, we extend the duration-CSP language with a refinement operator $\rho$ - which allows an action to be replaced by a process - and prove that it preserves the timed causal bisimulation.
1. INTRODUCTION

Many complex systems such as communication protocols, networks and embedded systems require a top-down design in which processes are modelled at different levels of abstraction. To carry on, at every level of abstraction, each action may be replaced by a more complicated process. This is known as the concept of action refinement [CS93, SpC94, FMCW02, KK09]. It turns out that the actions are no longer atomic: they are divisible into smaller parts. On the other hand, many industrial systems exhibit quantitative behaviour, including timing and minimal performance. As a consequence, many real-time extensions have been suggested for process algebra [MT90, LL97, BCAM00, Yi91]. However, the common point of all these extensions is that they are based on the action atomicity hypothesis. It was pointed out in [Gla90, Cos93, Sai96] that the non-atomicity of actions, as well as action refinement, requires a true concurrency semantics instead of the interleaving semantics.

In this paper we suggest an approach that integrates both timed constraints and durational actions without replacing each action by two atomic events (its starting and its finishing event), which leads to a huge combinatorial explosion. Our approach consists in using a true concurrency semantics, called the timed causal semantics, which extends the causality semantics of [Cos93]. We extend the formal description technique CSP with both durational actions and timed constraints. Afterwards we describe its semantics by means of the timed causal semantics. To convince the reader that the interleaving semantics cannot be used to deal with durational actions, let us consider the two processes $P = a;b;\mathrm{stop} + b;a;\mathrm{stop}$ and $Q = a;\mathrm{stop} \,|||\, b;\mathrm{stop}$. The process $P$ expresses a choice between $a$ followed by $b$ and $b$ followed by $a$. The process $Q$ expresses a parallel execution of $a$ and $b$. Note that, if we consider that $duration(a) = 0$ and $duration(b) = 0$, then the two processes describe, in some sense, the same behaviour. However, if we consider that $duration(a) > 0$ and $duration(b) > 0$, then the execution of $P$ requires at least $duration(a) + duration(b)$ units of time, whereas the execution of $Q$ may be done in $\max\{duration(a), duration(b)\}$.

In a next step we extend the causal transition systems of [Cos93] with clocks and timed constraints, in the same spirit as the timed automata of [AD94]. We shall call this model the timed causal transition system. We recall that the causal transition system formalism enriches the usual transition system with the notion of causality. As a consequence, the timed causal transition system formalism allows timed constraints to be expressed over actions of arbitrary duration without replacing each action by its starting and finishing events. As an application we show how to generate a timed causal transition system out of a duration-CSP process, and prove the correctness of this generation.

The paper is organized as follows. Section 2 recalls the rudiments of the causality semantics as given in [Cos93]. In Section 3 the definition of the causal transition system formalism and its timed extension are given. In Section 4 we extend the kernel of CSP with action durations and timed constraints, and we give its timed causal operational semantics. In Section 5 we give the denotational semantics of duration-CSP in terms of the timed causal transition system model. This section is concluded by a proof that the two semantics are equivalent (Theorem 1). In Section 7 we enrich the language duration-CSP with the refinement operator $\rho$, which allows an action to be replaced by a more complicated process. The new language is called duration-CSP$\rho$; afterwards, we give the timed causal semantics of this language, notably the semantics of the refinement operator. Finally we prove that the refinement operator preserves the timed causal bisimulation (Theorem 2).

In Section 8 some current and future works are given. The proofs are given in the Appendix.

2. CAUSALITY SEMANTICS 

In this section we recall, through simple examples, the principles of the causality semantics as defined in [Cos93]. The aim of the causality semantics is to distinguish between sequential and parallel execution. To be more precise, a parallel execution of two actions cannot be substituted by their interleaved execution. To this end, a transition from state $s_1$ to $s_2$ has the form $s_1 \xrightarrow{E,\,a,\,x} s_2$; it is equipped with extra data: (i) the event $x$ which identifies the beginning of the execution of the action $a$, and (ii) the (finite) set $E$ of events which corresponds to the set of causes of the action $a$, i.e. the action $a$ is possible only if all the causes belonging to $E$ have terminated. For example let us consider the two processes $P$ and $Q$ defined by $P = a;b;\mathrm{stop} + b;a;\mathrm{stop}$ and $Q = a;\mathrm{stop} \,|||\, b;\mathrm{stop}$. We recall that ";" is the prefixing operator, "$|||$" is the parallel composition, and "+" is the choice operator. At the beginning, the execution of both $P$ and $Q$ does not depend on any event, therefore the initial configuration associated to $P$ (resp. $Q$) is of the form $\emptyset[P]$ (resp. $\emptyset[Q]$). By applying the causality semantics to the configuration $\emptyset[P]$ the following derivations are possible:

$\emptyset[P] \xrightarrow{\emptyset,\,a,\,x} \{x\}[b;\mathrm{stop}] \xrightarrow{\{x\},\,b,\,y} \{y\}[\mathrm{stop}]$

The event $x$ (resp. $y$) corresponds to the beginning of the execution of the action $a$ (resp. $b$). According to the semantics of the prefix operator ";", the execution of the action $b$ depends on the termination of the action $a$. Again, by applying the causality semantics to the configuration $\emptyset[Q]$, the following derivations are possible:

$\emptyset[Q] \xrightarrow{\emptyset,\,a,\,x} \{x\}[\mathrm{stop}] \,|||\, \emptyset[b;\mathrm{stop}] \xrightarrow{\emptyset,\,b,\,y} \{x\}[\mathrm{stop}] \,|||\, \{y\}[\mathrm{stop}]$

As before, the event $x$ (resp. $y$) corresponds to the beginning of the execution of the action $a$ (resp. $b$). The main difference is that the actions $a$ and $b$ do not depend on each other.

Figure 2.1 shows all the possible derivations which can be obtained by applying the causality semantics to $P$ and $Q$. This gives rise to the notion of causal transition systems, which will be formalized in the next section.

3. TIMED CAUSAL TRANSITION SYSTEMS 

In this section we formalize the notion of causal transition systems. Afterwards, we enrich them with clocks and timed constraints in order to specify the timed behaviour. Throughout this paper we let $\mathcal{E}$ be a countable set of events, ranged over by $x, y, z, \ldots$. Let $\mathcal{L}$ be a countable set of actions, ranged over by $a, b, c, \ldots$. If $a \in \mathcal{L}$ then we denote by $d(a)$ the duration of the action $a$, where $d(a) \in \mathbb{R}^+$.

Figure 2.1: Causal transition systems of the processes $P = a;b;\mathrm{stop} + b;a;\mathrm{stop}$ and $Q = a;\mathrm{stop} \,|||\, b;\mathrm{stop}$.

Definition 1. A causal transition system, or a CTS for short, over $\mathcal{E}$ is a tuple $(S, s_0, T, l, \psi, \zeta, \eta)$ where:

• $(S, s_0, T, l)$ is a labelled transition system over $\mathcal{L}$, that is, $S$ is a finite set of states, $s_0 \in S$ is the initial state, $T \subseteq S \times S$ is the set of transitions, and $l : T \to \mathcal{L}$ is the labelling function of transitions,

• $\psi : S \to 2^{\mathcal{E}}$ is the function that associates to each state a finite set of events, the latter being potentially in progress at this state,

• $\zeta : T \to 2^{\mathcal{E}}$ is the function that associates to each transition $t \in T$ a finite set of events; these events denote the direct causes of $t$,

• $\eta : T \to \mathcal{E}$ is the function that associates to each transition $t \in T$ the event attached to the occurrence of the action $l(t)$,

such that the following conditions hold: for each transition $(s, s') \in T$ we have that

i. $\eta(s,s') \in \psi(s')$,

ii. $\zeta(s,s') \cap (\psi(s') \setminus \{\eta(s,s')\}) = \emptyset$,

iii. $\zeta(s,s') \subseteq \psi(s)$ and $\psi(s') \setminus \{\eta(s,s')\} \subseteq \psi(s)$.

In the sequel a transition $t$ will be denoted by $s_1 \xrightarrow{E,\,a,\,x} s_2$, i.e. $l(t) = a$, $\zeta(t) = E$, and $\eta(t) = x$.



Figure 3.1: The timed-CTS of $R = a\{4\};\odot^{100}\, b;\mathrm{stop}$.

The key idea. Now we add to the CTS the notions of clocks and timed constraints in order to be able to specify the quantitative behaviour over durational actions. The key idea consists in considering the events themselves as a sort of local clocks. As a consequence, the values of the clocks give sufficient information about the progress of the actions, notably about their termination. For instance consider the timed process $R$ defined by $R = a\{4\};\odot^{100}\, b$, which specifies that the action $a$ can occur in the interval $[0, 4]$, and the action $b$ can occur after 100 units of time counting from the termination of $a$. The timed-CTS corresponding to the process $R$ is depicted in Figure 3.1. In order to avoid any confusion, we denote the clock associated to the event $x$ by $c_x$ and not $x$. The semantics of the timed-CTS is close to that of timed automata. The construction of the timed-CTS out of a duration-CSP process is given in Section 5. The definition of the timed-CTS follows.



Definition 2. A timed causal transition system, or a timed-CTS for short, is a tuple $(S, s_0, T, l, \psi, \zeta, \eta, Clk, \Phi, \lambda)$ where $(S, s_0, T, l, \psi, \zeta, \eta)$ is a causal transition system (see Def. 1) and

• $Clk = \{c\} \times \mathcal{E}$ is the set of clocks, that is, to each event $x \in \mathcal{E}$ we associate a clock $c_x$,

• $\Phi$ is a function that associates to each transition $t \in T$ a timed constraint, and

• $\lambda : T \to 2^{Clk}$ is a function that associates to each transition the set of clocks which have to be reset to zero once this transition is executed.



In the sequel, a transition $t$ of a timed-CTS will be denoted simply by $s_1 \xrightarrow{E,\,a,\,x,\,\varphi,\,\lambda} s_2$, that is, $\Phi(t) = \varphi$ and $\lambda(t) = \lambda$. The set of timed constraints will be denoted by $2^{\mathcal{V}}$. The syntax of the timed constraints is given by the following grammar:

$\varphi ::= \varphi \wedge \varphi \;|\; \varphi \vee \varphi \;|\; c \prec c_x \;|\; c_x \prec c$, where $\prec \in \{<, \le\}$

where $c_x$ is a clock, and $c \in \mathbb{R}^+$ is a positive real constant.
The timed-CTS inherits the semantics of both timed automata [AD94] and causal transition systems [Cos93]. The semantics of a timed-CTS is defined by means of a transition system over a set of configurations; each configuration consists of (i) the current state, (ii) the current values of the clocks, and (iii) the actions which are (potentially) in progress. There are two kinds of transitions between configurations. The timed-CTS may either delay for an amount of time in the same configuration (delay transition), or follow an edge (action transition).



We use functions called clock assignments, mappings from $Clk$ to $\mathbb{R}^+$. Let $v$ denote such a function, and $\mathbf{0}$ denote the clock assignment that maps all $c_x \in Clk$ to $0$. For $d \in \mathbb{R}^+$, let $v + d$ denote the clock assignment that maps all $c_x \in Clk$ to $v(c_x) + d$. For $\lambda \subseteq Clk$, let $[\lambda \mapsto 0]v$ denote the clock assignment that maps all clocks in $\lambda$ to $0$ and coincides with $v$ for the clocks in $Clk \setminus \lambda$.



The semantics of a timed-CTS is a transition system whose configurations are pairs $(s, v)$, the starting configuration is $(s_0, \mathbf{0})$, and the transitions are given by the rules:

$(s, v) \xrightarrow{d} (s, v + d)$, for $d \in \mathbb{R}^+$,

$(s, v) \xrightarrow{E,\,a,\,x} (s', v')$ if $s \xrightarrow{E,\,a,\,x,\,\varphi,\,\lambda} s'$ and moreover: (i) $v$ satisfies the constraint $\varphi$, (ii) $v' = [\lambda \mapsto 0]v$, and (iii) all the actions related to the events of $E$ have terminated.



4. DURATION-CSP AND ITS OPERATIONAL TIMED CAUSAL SEMANTICS

Now we introduce action durations into the formal description technique CSP [Hoa85]. Due to the lack of space the prefixing operator "$\to$" is denoted by ";". Moreover, we do not distinguish between the internal and the external choice. The syntax of duration-CSP is given by the following grammar:

$P ::= \mathrm{stop} \;|\; \mathrm{skip}\{d\} \;|\; \odot^d P \;|\; a\{d\};P \;|\; P + Q \;|\; P\,|[L]|\,Q \;|\; P \backslash L \;|\; P \,\triangle\, Q$

where $d \in \mathbb{R}^+$ and $L \subseteq \mathcal{L}$.

The primitive process $\mathrm{stop}$ represents the process that communicates nothing, and $\mathrm{skip}$ represents successful termination, i.e. the process $\mathrm{skip}\{d\}$ performs the successful termination action $\delta$ in the time interval $[0, d]$ and transforms into $\mathrm{stop}$. Let $a \in \mathcal{L}$ be an action and $d \in \mathbb{R}^+$. The process $a\{d\};P$ expresses that the execution of $a$ must occur in the time interval $[0, d]$, and after the termination of $a$ this process behaves like $P$. The process $\odot^d P$ means that the start of $P$ is possible only after a passage of $d$ units of time. "+" is the choice operator. The parallel composition $P\,|[L]|\,Q$ allows computation in $P$ and $Q$ to proceed simultaneously and independently, apart from the actions in $L$ on which both processes must synchronize. We shall write $|||$ for $|[\emptyset]|$. The hiding operator $P \backslash L$ makes the actions in $L$ unobservable. The interruption operator $P \,\triangle\, Q$ allows the computation to begin in $P$ and to be interrupted by $Q$.



Operational semantics of duration-CSP.

Now we describe the behaviour of duration-CSP processes step by step by means of an operational semantics over the timed causal configurations. Before this, we first define the timed causal configurations and introduce some standard operations on them. The untimed configurations and the related operations have been defined in [Cos93].



Definition 3. The set $\mathcal{C}_T$ of timed causal configurations is defined as follows:

• for each duration-CSP process $P$ and for each $E_T \in 2^{\mathcal{E} \times \mathcal{L} \times \mathbb{R}^+}$, we have that $E_T[P] \in \mathcal{C}_T$,

• if $\mathcal{P}_T \in \mathcal{C}_T$ then $\odot^d \mathcal{P}_T \in \mathcal{C}_T$, for every $d \in \mathbb{R}^+$,

• if $\mathcal{P}_T \in \mathcal{C}_T$ then $\mathcal{P}_T \backslash L \in \mathcal{C}_T$, and

• if $\mathcal{P}_T, \mathcal{Q}_T \in \mathcal{C}_T$ then $\mathcal{P}_T \otimes \mathcal{Q}_T \in \mathcal{C}_T$, where $\otimes \in \{+,\ |[L]|,\ \triangle\}$.

For instance, the configuration $\{x{:}a{:}t_x\}[P]$ means that the execution of the process $P$ depends on the termination of the action $a$, which is identified by the event $x$; moreover, $t_x$ counts the time elapsed since the beginning of $a$. We say that a timed causal configuration is in canonical form if it cannot be simplified by distributing the set of events over the algebraic operators. For instance, the configuration $E_T[a;\mathrm{stop} + b;\mathrm{stop}]$ is not in canonical form because it can be reduced to the configuration $E_T[a;\mathrm{stop}] + E_T[b;\mathrm{stop}]$, the latter being in canonical form.



The timed transition relation over the timed causal configurations, denoted by $\leadsto\ \subseteq \mathcal{C}_T \times Act_T \times \mathcal{C}_T$ where $Act_T = (2^{\mathcal{E} \times \mathcal{L} \times \mathbb{R}^+} \times \mathcal{L} \times \mathcal{E}) \cup \mathbb{R}^+$, is defined as follows:



0. Stop process:

(0) $\dfrac{\neg Finish(E_T)}{E_T[\mathrm{stop}] \overset{d}{\leadsto} (E_T + d)[\mathrm{stop}]}$

I. Skip process:

(I.a) $\dfrac{Finish(E_T)}{E_T[\mathrm{skip}\{u\}] \overset{E_T,\,\delta,\,x}{\leadsto} \{x{:}\delta{:}0\}[\mathrm{stop}]}$

(I.r) $\dfrac{Finish(E_T)}{E_T[\mathrm{skip}\{d + d'\}] \overset{d'}{\leadsto} E_T[\mathrm{skip}\{d\}]}$

Lemma 1. Every canonical timed causal configuration in $\mathcal{C}_T$ has one of the following forms:

$E_T[\mathrm{stop}]$, $E_T[\mathrm{skip}\{d\}]$, $\odot^d \mathcal{P}_T$, $E_T[a\{d\};P]$, $\mathcal{P}_T + \mathcal{Q}_T$, $\mathcal{P}_T\,|[L]|\,\mathcal{Q}_T$, $\mathcal{P}_T \backslash L$, $\mathcal{P}_T \,\triangle\, \mathcal{Q}_T$

where $\mathcal{P}_T$ and $\mathcal{Q}_T$ are in canonical form.

Next we assume that all the configurations are in canonical form.



II. Prefix operator:

(II.a) $\dfrac{Finish(E_T)}{E_T[a\{u\};P] \overset{E_T,\,a,\,x}{\leadsto} \{x{:}a{:}0\}[P]}$ where $x = get(\mathcal{E})$

(II.r) $\dfrac{Finish(E_T)}{E_T[a\{d + d'\};P] \overset{d'}{\leadsto} E_T[a\{d\};P]}$



Definition 4. The function $\psi$ that determines the events of a given configuration is defined by:

$\psi(E_T[\mathrm{stop}]) = \psi(E_T[\mathrm{skip}\{d\}]) = \psi(E_T[a\{d\};P]) = E_T$

$\psi(\mathcal{P}_T + \mathcal{Q}_T) = \psi(\mathcal{P}_T\,|[L]|\,\mathcal{Q}_T) = \psi(\mathcal{P}_T \,\triangle\, \mathcal{Q}_T) = \psi(\mathcal{P}_T) \cup \psi(\mathcal{Q}_T)$



Definition 5. Let $\mathcal{R}_T \in \mathcal{C}_T$ and $x, y \in \mathcal{E}$; the substitution of $x$ by $y$ in $\mathcal{R}_T$, denoted by $\mathcal{R}_T[y/x]$, is defined by induction on $\mathcal{R}_T$ as follows:

$(E_T[\mathrm{stop}])[y/x] = E_T[y/x][\mathrm{stop}]$
$(E_T[\mathrm{skip}\{d\}])[y/x] = E_T[y/x][\mathrm{skip}\{d\}]$
$(\odot^d \mathcal{P}_T)[y/x] = \odot^d (\mathcal{P}_T[y/x])$
$(E_T[a\{d\};P])[y/x] = E_T[y/x][a\{d\};P]$
$(\mathcal{P}_T + \mathcal{Q}_T)[y/x] = \mathcal{P}_T[y/x] + \mathcal{Q}_T[y/x]$
$(\mathcal{P}_T \backslash L)[y/x] = \mathcal{P}_T[y/x] \backslash L$
$(\mathcal{P}_T\,|[L]|\,\mathcal{Q}_T)[y/x] = \mathcal{P}_T[y/x]\,|[L]|\,\mathcal{Q}_T[y/x]$
$(\mathcal{P}_T \,\triangle\, \mathcal{Q}_T)[y/x] = \mathcal{P}_T[y/x] \,\triangle\, \mathcal{Q}_T[y/x]$

where $E_T[y/x]$ is again the obvious substitution over the set of events.



Let $E_T \in 2^{\mathcal{E} \times \mathcal{L} \times \mathbb{R}^+}$; we say that all the actions in $E_T$ have finished, and write $Finish(E_T)$, if for all $x{:}a{:}t_x \in E_T$ we have that $t_x \ge d(a)$. Let $get : 2^{\mathcal{E}} \to \mathcal{E}$ be a function satisfying $get(E) \in E$ for all $E \in 2^{\mathcal{E}} \setminus \{\emptyset\}$.



III. Choice operator:

(III.a) $\dfrac{\mathcal{P}_T \overset{E,\,a,\,x}{\leadsto} \mathcal{P}'_T}{\mathcal{P}_T + \mathcal{Q}_T \overset{E,\,a,\,x}{\leadsto} \mathcal{P}'_T \qquad \mathcal{Q}_T + \mathcal{P}_T \overset{E,\,a,\,x}{\leadsto} \mathcal{P}'_T}$

(III.r) $\dfrac{\mathcal{P}_T \overset{d}{\leadsto} \mathcal{P}'_T \qquad \mathcal{Q}_T \overset{d}{\leadsto} \mathcal{Q}'_T}{\mathcal{P}_T + \mathcal{Q}_T \overset{d}{\leadsto} \mathcal{P}'_T + \mathcal{Q}'_T}$



IV. Parallel composition operator:

(IV.r) $\dfrac{\mathcal{P}_T \overset{d}{\leadsto} \mathcal{P}'_T \qquad \mathcal{Q}_T \overset{d}{\leadsto} \mathcal{Q}'_T}{\mathcal{P}_T\,|[L]|\,\mathcal{Q}_T \overset{d}{\leadsto} \mathcal{P}'_T\,|[L]|\,\mathcal{Q}'_T}$

(IV.a) $\dfrac{\mathcal{P}_T \overset{E,\,a,\,x}{\leadsto} \mathcal{P}'_T \qquad a \notin L \cup \{\delta\}}{\mathcal{P}_T\,|[L]|\,\mathcal{Q}_T \overset{E,\,a,\,y}{\leadsto} \mathcal{P}'_T[y/x]\,|[L]|\,\mathcal{Q}_T}$

(IV.b) $\dfrac{\mathcal{P}_T \overset{E,\,a,\,x}{\leadsto} \mathcal{P}'_T \qquad a \notin L \cup \{\delta\}}{\mathcal{Q}_T\,|[L]|\,\mathcal{P}_T \overset{E,\,a,\,y}{\leadsto} \mathcal{Q}_T\,|[L]|\,\mathcal{P}'_T[y/x]}$

where in the last two rules we have $y = get(\mathcal{E} \setminus ((\psi(\mathcal{P}'_T) \setminus \{x\}) \cup \psi(\mathcal{Q}_T)))$. To avoid any confusion with the definition of $\psi$ given in Definition 1, here we consider that $\psi : \mathcal{C}_T \to 2^{\mathcal{E}}$, but we still use the same symbol; the type of $\psi$ is clarified by the context.

(IV.c) $\dfrac{\mathcal{P}_T \overset{E,\,a,\,x}{\leadsto} \mathcal{P}'_T \qquad \mathcal{Q}_T \overset{E',\,a,\,y}{\leadsto} \mathcal{Q}'_T \qquad a \in L \cup \{\delta\}}{\mathcal{P}_T\,|[L]|\,\mathcal{Q}_T \overset{E \cup E',\,a,\,z}{\leadsto} \mathcal{P}'_T[z/x]\,|[L]|\,\mathcal{Q}'_T[z/y]}$

where $z = get(\mathcal{E} \setminus ((\psi(\mathcal{P}'_T) \setminus \{x\}) \cup (\psi(\mathcal{Q}'_T) \setminus \{y\})))$.



V. Hide operator:

(V.a) $\dfrac{\mathcal{P}_T \overset{E,\,a,\,x}{\leadsto} \mathcal{P}'_T \qquad a \notin L}{\mathcal{P}_T \backslash L \overset{E,\,a,\,x}{\leadsto} \mathcal{P}'_T \backslash L}$

(V.b) $\dfrac{\mathcal{P}_T \overset{E,\,a,\,x}{\leadsto} \mathcal{P}'_T \qquad a \in L}{\mathcal{P}_T \backslash L \overset{E,\,i,\,x}{\leadsto} \mathcal{P}'_T \backslash L}$

(V.r) $\dfrac{\mathcal{P}_T \overset{d}{\leadsto} \mathcal{P}'_T}{\mathcal{P}_T \backslash L \overset{d}{\leadsto} \mathcal{P}'_T \backslash L}$



VI. Interruption operator:

(VI.a) $\dfrac{\mathcal{P}_T \overset{E,\,a,\,x}{\leadsto} \mathcal{P}'_T \qquad a \neq \delta}{\mathcal{P}_T \,\triangle\, \mathcal{Q}_T \overset{E,\,a,\,y}{\leadsto} \mathcal{P}'_T[y/x] \,\triangle\, \mathcal{Q}_T}$ where $y = get(\mathcal{E} \setminus ((\psi(\mathcal{P}'_T) \setminus \{x\}) \cup \psi(\mathcal{Q}_T)))$

(VI.b) $\dfrac{\mathcal{P}_T \overset{E,\,\delta,\,x}{\leadsto} \mathcal{P}'_T}{\mathcal{P}_T \,\triangle\, \mathcal{Q}_T \overset{E,\,\delta,\,x}{\leadsto} \mathcal{P}'_T}$

(VI.c) $\dfrac{\mathcal{Q}_T \overset{E,\,a,\,x}{\leadsto} \mathcal{Q}'_T}{\mathcal{P}_T \,\triangle\, \mathcal{Q}_T \overset{E,\,a,\,x}{\leadsto} \mathcal{Q}'_T}$



5. A DENOTATIONAL SEMANTICS

In this section we describe how to generate a timed-CTS (see Definition 2) from a duration-CSP specification. To this end, we shall define the timed causal transition relation $\to\ \subseteq \mathcal{C} \times trs \times \mathcal{C}$, where $\mathcal{C}$ is defined exactly as the set of timed configurations $\mathcal{C}_T$ given in Definition 3, except that $E_T \in 2^{\mathcal{E} \times \mathcal{L}}$ instead of $E_T \in 2^{\mathcal{E} \times \mathcal{L} \times \mathbb{R}^+}$, and hence $E_T$ will be denoted by $E$; and the timed transition $trs \in (2^{\mathcal{E} \times \mathcal{L}} \times \mathcal{L} \times \mathcal{E}) \times 2^{\mathcal{V}} \times 2^{Clk}$. We recall that $2^{\mathcal{V}}$ is the set of timed constraints.



(VI.r) $\dfrac{\mathcal{P}_T \overset{d}{\leadsto} \mathcal{P}'_T \qquad \mathcal{Q}_T \overset{d}{\leadsto} \mathcal{Q}'_T}{\mathcal{P}_T \,\triangle\, \mathcal{Q}_T \overset{d}{\leadsto} \mathcal{P}'_T \,\triangle\, \mathcal{Q}'_T}$

1. Skip process:

(1.a) $\emptyset[\mathrm{skip}\{u\}] \xrightarrow{\langle \emptyset,\,\delta,\,x,\ 0 \le c_x \le u,\ \{c_x\}\rangle} \{x{:}\delta\}[\mathrm{stop}]$ where $x = get(\mathcal{E})$

(1.b) $E[\mathrm{skip}\{u\}] \xrightarrow{\langle E,\,\delta,\,x,\ \mathcal{F}_u(E),\ \{c_x\}\rangle} \{x{:}\delta\}[\mathrm{stop}]$ where $x = get(\mathcal{E})$

2. Prefix operator:

(2.a) $\emptyset[a\{u\};P] \xrightarrow{\langle \emptyset,\,a,\,x,\ 0 \le c_x \le u,\ \{c_x\}\rangle} \{x{:}a\}[P]$ where $x = get(\mathcal{E})$

VII. Delay operator:

(VII.t) $\odot^{d + d'} \mathcal{P}_T \overset{d'}{\leadsto} \odot^{d} \mathcal{P}_T$

(VII.r) $\dfrac{\mathcal{P}_T \overset{d}{\leadsto} \mathcal{P}'_T}{\odot^{0} \mathcal{P}_T \overset{d}{\leadsto} \mathcal{P}'_T}$

(VII.a) $\dfrac{\mathcal{P}_T \overset{E,\,a,\,x}{\leadsto} \mathcal{P}'_T}{\odot^{0} \mathcal{P}_T \overset{E,\,a,\,x}{\leadsto} \mathcal{P}'_T}$

VIII. Passage of time:

(VIII) $\dfrac{\neg Finish(E_T) \quad \text{and} \quad \forall e,\ 0 < e < d:\ \neg Finish(E_T + e)}{E_T[P] \overset{d}{\leadsto} (E_T + d)[P]}$

Definition 6. Let $\mathcal{P}_T \in \mathcal{C}_T$; the passage of $d$ units of time over $\mathcal{P}_T$, denoted by $\mathcal{P}_T + d$, is defined by induction on $\mathcal{P}_T$ as follows:

$E_T[P] + d = (E_T + d)[P]$
$(\mathcal{P}_T + \mathcal{Q}_T) + d = (\mathcal{P}_T + d) + (\mathcal{Q}_T + d)$
$(\mathcal{P}_T \backslash L) + d = (\mathcal{P}_T + d) \backslash L$
$(\mathcal{P}_T\,|[L]|\,\mathcal{Q}_T) + d = (\mathcal{P}_T + d)\,|[L]|\,(\mathcal{Q}_T + d)$
$(\mathcal{P}_T \,\triangle\, \mathcal{Q}_T) + d = (\mathcal{P}_T + d) \,\triangle\, (\mathcal{Q}_T + d)$

where

$\emptyset + d = \emptyset$,
$(x{:}a{:}t_x) + d = x{:}a{:}(t_x + d)$,
$(E_T \cup \{x{:}a{:}t_x\}) + d = (E_T + d) \cup \{(x{:}a{:}t_x) + d\}$.
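As an added example (not part of the paper), the following Python code implements the timed event sets $E_T$ of Definition 3, the predicate $Finish(E_T)$, the passage of time $E_T + d$ of Definition 6, the side condition of rule VIII, a deterministic $get$ together with the fresh-event choice used by rule IV.a, and an earliest-completion computation over a causal run that reproduces the comparison of $P = a;b;\mathrm{stop} + b;a;\mathrm{stop}$ with $Q = a;\mathrm{stop} \,|||\, b;\mathrm{stop}$ from the introduction ($d(a) + d(b)$ against $\max\{d(a), d(b)\}$). The durations $d(a) = 3$, $d(b) = 2$ and the finite event alphabet are assumptions of the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Assumed action durations d(a); the paper keeps them symbolic.
DURATION: Dict[str, float] = {"a": 3.0, "b": 2.0}
# Assumed finite stand-in for the countable set of events.
EVENTS: Set[str] = {"x", "y", "z", "w"}


@dataclass(frozen=True)
class Ev:
    """One element x:a:t_x of a timed event set E_T: the occurrence of action a,
    identified by event x, started t_x time units ago."""
    x: str
    a: str
    t: float


def finish(e_t: FrozenSet[Ev], dur: Dict[str, float] = DURATION) -> bool:
    """Finish(E_T): every action recorded in E_T has run for at least d(a)."""
    return all(ev.t >= dur[ev.a] for ev in e_t)


def elapse(e_t: FrozenSet[Ev], d: float) -> FrozenSet[Ev]:
    """E_T + d (Definition 6): every elapsed-time counter advances by d."""
    return frozenset(Ev(ev.x, ev.a, ev.t + d) for ev in e_t)


def max_delay(e_t: FrozenSet[Ev], dur: Dict[str, float] = DURATION) -> float:
    """Largest d allowed by rule VIII: ¬Finish(E_T) and ¬Finish(E_T + e) for all
    0 < e < d, i.e. time may pass only up to the moment the last pending action
    of E_T terminates. Returns 0 when Finish(E_T) already holds."""
    pending = [dur[ev.a] - ev.t for ev in e_t if ev.t < dur[ev.a]]
    return max(pending) if pending else 0.0


def get(candidates: Set[str]) -> str:
    """get(E): pick one element of a non-empty event set (the smallest, so the
    choice is deterministic)."""
    if not candidates:
        raise ValueError("get is only defined on non-empty event sets")
    return min(candidates)


def fresh_event(x: str, psi_left: Set[str], psi_right: Set[str]) -> str:
    """y = get(E - ((psi(P') - {x}) ∪ psi(Q))) as in rule IV.a: the event x chosen
    by the left component is renamed so that it cannot clash with an event that
    is still in progress in the right component."""
    return get(EVENTS - ((psi_left - {x}) | psi_right))


# A causal run: (event, action, direct causes of the action) in derivation order.
Step = Tuple[str, str, FrozenSet[str]]


def earliest_completion(run: Iterable[Step], dur: Dict[str, float] = DURATION) -> float:
    """Minimal time to complete a causal run: an action starts as soon as all
    of its causes have terminated; actions with no causal link overlap."""
    start: Dict[str, float] = {}
    action: Dict[str, str] = {}
    end = 0.0
    for x, a, causes in run:
        start[x] = max((start[c] + dur[action[c]] for c in causes), default=0.0)
        action[x] = a
        end = max(end, start[x] + dur[a])
    return end


# P = a;b;stop + b;a;stop, left branch: b is caused by the event x of a (rule II).
RUN_P: List[Step] = [("x", "a", frozenset()), ("y", "b", frozenset({"x"}))]
# Q = a;stop ||| b;stop: neither action depends on the other (rules IV.a / IV.b).
RUN_Q: List[Step] = [("x", "a", frozenset()), ("y", "b", frozenset())]


def demo() -> Dict[str, object]:
    """Constructed scenario: the configuration {x:a:0}[b; stop] reached by the
    left branch of P, then the two completion times."""
    e = frozenset({Ev("x", "a", 0.0)})
    return {
        "b_enabled_now": finish(e),                    # a is still running
        "max_delay": max_delay(e),                     # rule VIII lets 3 units pass
        "b_enabled_after": finish(elapse(e, 3.0)),     # now b may start
        "P": earliest_completion(RUN_P),               # d(a) + d(b)
        "Q": earliest_completion(RUN_Q),               # max(d(a), d(b))
        "fresh": fresh_event("x", {"x"}, {"x", "y"}),  # x and y busy on the right
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the scenario: `b` cannot start in `{x:a:0}[b; stop]`, the longest delay rule VIII permits is exactly `d(a)`, after which `Finish` holds; the sequential run completes in 5 units and the parallel one in 3, which is the gap the interleaving semantics cannot express.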



Definition 7. Given a duration-CSP process $P$, the operational semantics of $P$ over the class of timed causal configurations $\mathcal{C}_T$, denoted by $P_{op}$, consists in associating to $P$ the set of timed causal configurations generated by the relation $\leadsto\ \subseteq \mathcal{C}_T \times Act_T \times \mathcal{C}_T$, starting from the configuration


(2.b) $E[a\{u\};P] \xrightarrow{\langle E,\,a,\,x,\ \mathcal{F}_u(E),\ \{c_x\}\rangle} \{x{:}a\}[P]$ where $x = get(\mathcal{E})$

3. Choice operator:

(3.a) $\dfrac{P \xrightarrow{trs} P'}{P + Q \xrightarrow{trs} P'}$ \qquad (3.b) $\dfrac{Q \xrightarrow{trs} Q'}{P + Q \xrightarrow{trs} Q'}$

4. Parallel composition operator:

(4.a) $\dfrac{P \xrightarrow{\langle E,\,a,\,x,\,\varphi,\,\lambda\rangle} P' \qquad a \notin L \cup \{\delta\}}{P\,|[L]|\,Q \xrightarrow{\langle E,\,a,\,y,\ \varphi[c_y/c_x],\ \lambda[c_y/c_x]\rangle} P'[y/x]\,|[L]|\,Q}$ where $y = get(\mathcal{E} \setminus ((\psi(P') \setminus \{x\}) \cup \psi(Q)))$

(4.b) $\dfrac{Q \xrightarrow{\langle E,\,a,\,x,\,\varphi,\,\lambda\rangle} Q' \qquad a \notin L \cup \{\delta\}}{P\,|[L]|\,Q \xrightarrow{\langle E,\,a,\,y,\ \varphi[c_y/c_x],\ \lambda[c_y/c_x]\rangle} P\,|[L]|\,Q'[y/x]}$ where $y = get(\mathcal{E} \setminus ((\psi(Q') \setminus \{x\}) \cup \psi(P)))$

(4.c) $\dfrac{P \xrightarrow{\langle E_1,\,a,\,x,\,\varphi_1,\,\lambda_1\rangle} P' \qquad Q \xrightarrow{\langle E_2,\,a,\,y,\,\varphi_2,\,\lambda_2\rangle} Q' \qquad a \in L \cup \{\delta\}}{P\,|[L]|\,Q \xrightarrow{\langle E_1 \cup E_2,\,a,\,z,\,\varphi,\,\lambda\rangle} P'[z/x]\,|[L]|\,Q'[z/y]}$

where $z = get(\mathcal{E} \setminus ((\psi(P') \setminus \{x\}) \cup (\psi(Q') \setminus \{y\})))$, $\varphi = \varphi_1[c_z/c_x] \wedge \varphi_2[c_z/c_y]$ and $\lambda = \lambda_1[c_z/c_x] \cup \lambda_2[c_z/c_y]$.

5. Hide operator:

(5.a) $\dfrac{P \xrightarrow{\langle E,\,a,\,x,\,\varphi,\,\lambda\rangle} P' \qquad a \notin L}{P \backslash L \xrightarrow{\langle E,\,a,\,x,\,\varphi,\,\lambda\rangle} P' \backslash L}$ \qquad (5.b) $\dfrac{P \xrightarrow{\langle E,\,a,\,x,\,\varphi,\,\lambda\rangle} P' \qquad a \in L}{P \backslash L \xrightarrow{\langle E,\,i,\,x,\,\varphi,\,\lambda\rangle} P' \backslash L}$

6. Interruption operator:

(6.a) $\dfrac{P \xrightarrow{\langle E,\,a,\,x,\,\varphi,\,\lambda\rangle} P' \qquad a \neq \delta}{P \,\triangle\, Q \xrightarrow{\langle E,\,a,\,y,\ \varphi[c_y/c_x],\ \lambda[c_y/c_x]\rangle} P'[y/x] \,\triangle\, Q}$ where $y = get(\mathcal{E} \setminus ((\psi(P') \setminus \{x\}) \cup \psi(Q)))$

(6.b) $\dfrac{P \xrightarrow{\langle E,\,\delta,\,x,\,\varphi,\,\lambda\rangle} P'}{P \,\triangle\, Q \xrightarrow{\langle E,\,\delta,\,x,\,\varphi,\,\lambda\rangle} P'}$ \qquad (6.c) $\dfrac{Q \xrightarrow{\langle E,\,a,\,x,\,\varphi,\,\lambda\rangle} Q'}{P \,\triangle\, Q \xrightarrow{\langle E,\,a,\,x,\,\varphi,\,\lambda\rangle} Q'}$

7. Delay operator:

(7) $\dfrac{P \xrightarrow{\langle E,\,a,\,x,\,\varphi,\,\lambda\rangle} P'}{\odot^d P \xrightarrow{\langle E,\,a,\,x,\,\varphi + d,\,\lambda\rangle} P'}$


The substitutions $\varphi[c_z/c_x]$ and $\lambda[c_z/c_x]$, as well as the union $\lambda_1 \cup \lambda_2$, are defined in the obvious way. Now we define the function $\mathcal{F}_u$. Intuitively, the timed constraint $\mathcal{F}_u(E)$ of a given transition $t$ expresses that all the actions in $E$ must terminate and that the transition $t$ can happen in the time interval $[0, u]$ counting from the termination moment of the last finished action(s) of $E$, i.e.:

$\mathcal{F}_u(E) = \bigwedge_{x:a \in E} (d(a) \le c_x) \ \wedge\ \bigvee_{x:a \in E} (c_x \le d(a) + u)$ \qquad (1)

Definition 8. The delay function $\varphi + d$ is defined by induction on $\varphi$ as follows:

$(\varphi_1 \wedge \varphi_2) + d = (\varphi_1 + d) \wedge (\varphi_2 + d)$
$(\varphi_1 \vee \varphi_2) + d = (\varphi_1 + d) \vee (\varphi_2 + d)$
$(\alpha \le c_x) + d = \alpha + d \le c_x$
$(c_x \le \beta) + d = c_x \le \beta + d$

Remark 1. By construction (i.e. by the construction of the timed constraints in the rules (1.a), (1.b), (2.a), (2.b), (4.c) and 7), the timed constraints have the following form:

$\varphi = \phi_1 \wedge \cdots \wedge \phi_n$, with $\phi_i = \bigwedge_{x:a \in E} (\alpha \le c_x) \wedge \bigvee_{x:a \in E} (c_x \le \beta)$

where $\alpha, \beta \in \mathbb{R}^+$ and $\alpha \le \beta$.



We state one of the most important properties of the function $\mathcal{F}_u(\cdot) + d$:

Lemma 2. Let $s_1 \xrightarrow{E,\,b,\,y,\ \mathcal{F}_u(E) + d,\ \{c_y\}} s_2$ be a timed transition of a given timed-CTS. The action $b$ is enabled in the time interval $[r + d, r + d + u]$, where $r \in \mathbb{R}^+$ is the time stamp of the termination of the last finished action(s) in $E$.
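The following Python code is an added example, not part of the paper, that executes the timed-CTS semantics of Section 3 on the process $R = a\{4\};\odot^{100}\, b;\mathrm{stop}$ of Figure 3.1: clock assignments with $v + d$ and $[\lambda \mapsto 0]v$, an evaluator for the constraint grammar, the constraint $\mathcal{F}_u(E)$ of equation (1), the delay function $\varphi + d$ of Definition 8, and the action-transition rule with its termination condition (iii). The edge for $b$ is built the way rules (2.b) and 7 prescribe, so the run exhibits the enabling window of Lemma 2. The duration $d(a) = 3$, the bound $u = 2$ on $b$, and the initial guard $0 \le c_x \le 4$ for $a$ (all clocks are zero in $(s_0, \mathbf{0})$, so any clock measures global time before its first reset) are assumptions of the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from functools import reduce
from typing import Dict, FrozenSet, Iterable, Tuple

# Assumed durations and bounds; the paper keeps d(a) and the bound of b symbolic.
DURATION: Dict[str, float] = {"a": 3.0, "b": 1.0}
U_B = 2.0        # assumed: once enabled, b may occur within 2 time units
DELAY_B = 100.0  # from R = a{4}; ⊙100 b; stop

# Timed constraints following the grammar
#   phi ::= phi ∧ phi | phi ∨ phi | c ≺ c_x | c_x ≺ c   with ≺ ∈ {<, ≤}
# encoded as nested tuples: ("and", p, q), ("or", p, q),
# ("lo", c, x, strict) for c ≺ c_x and ("hi", x, c, strict) for c_x ≺ c.
Constraint = tuple
Valuation = Dict[str, float]  # clock assignment v, keyed by the event x of c_x


def holds(phi: Constraint, v: Valuation) -> bool:
    """v satisfies phi."""
    kind = phi[0]
    if kind == "and":
        return holds(phi[1], v) and holds(phi[2], v)
    if kind == "or":
        return holds(phi[1], v) or holds(phi[2], v)
    if kind == "lo":
        _, c, x, strict = phi
        return c < v[x] if strict else c <= v[x]
    if kind == "hi":
        _, x, c, strict = phi
        return v[x] < c if strict else v[x] <= c
    raise ValueError(f"unknown constraint {phi!r}")


def delay(phi: Constraint, d: float) -> Constraint:
    """phi + d (Definition 8): every constant is shifted by d."""
    kind = phi[0]
    if kind in ("and", "or"):
        return (kind, delay(phi[1], d), delay(phi[2], d))
    if kind == "lo":
        return ("lo", phi[1] + d, phi[2], phi[3])
    return ("hi", phi[1], phi[2] + d, phi[3])


def f_u(E: Iterable[Tuple[str, str]], u: float, dur: Dict[str, float] = DURATION) -> Constraint:
    """F_u(E) = AND_{x:a in E} d(a) <= c_x  AND  OR_{x:a in E} c_x <= d(a) + u  (equation (1))."""
    pairs = list(E)
    if not pairs:
        raise ValueError("F_u is built for non-empty cause sets")
    conj = reduce(lambda p, q: ("and", p, q), (("lo", dur[a], x, False) for x, a in pairs))
    disj = reduce(lambda p, q: ("or", p, q), (("hi", x, dur[a] + u, False) for x, a in pairs))
    return ("and", conj, disj)


@dataclass(frozen=True)
class Edge:
    """A timed-CTS transition s --<E, a, x, phi, lam>--> s'."""
    src: str
    dst: str
    E: FrozenSet[Tuple[str, str]]  # direct causes as (event, action) pairs
    a: str
    x: str
    phi: Constraint
    lam: FrozenSet[str]            # clocks (named by event) reset when the edge fires


def advance(v: Valuation, d: float) -> Valuation:
    """v + d: every clock grows by d (delay transition)."""
    return {x: t + d for x, t in v.items()}


def reset(v: Valuation, lam: FrozenSet[str]) -> Valuation:
    """[lam -> 0]v: clocks in lam are set to zero, the others keep their value."""
    return {x: (0.0 if x in lam else t) for x, t in v.items()}


def enabled(edge: Edge, v: Valuation, dur: Dict[str, float] = DURATION) -> bool:
    """Action-transition conditions (i) v |= phi and (iii) every action of E has
    terminated, read off the clocks as c_x >= d(a)."""
    return holds(edge.phi, v) and all(v[x] >= dur[a] for x, a in edge.E)


def fire(edge: Edge, v: Valuation) -> Tuple[str, Valuation]:
    """Take the edge: target state and the valuation after the resets (ii)."""
    if not enabled(edge, v):
        raise ValueError(f"edge {edge.a} is not enabled under {v}")
    return edge.dst, reset(v, edge.lam)


def timed_cts_of_R() -> Dict[str, Edge]:
    """The two edges of Figure 3.1 for R = a{4}; ⊙100 b; stop."""
    guard_a = ("and", ("lo", 0.0, "x", False), ("hi", "x", 4.0, False))
    edge_a = Edge("s0", "s1", frozenset(), "a", "x", guard_a, frozenset({"x"}))
    # rule (2.b) yields F_u({x:a}); rule 7 shifts it by the delay of ⊙100.
    guard_b = delay(f_u([("x", "a")], U_B), DELAY_B)
    edge_b = Edge("s1", "s2", frozenset({("x", "a")}), "b", "y", guard_b, frozenset({"y"}))
    return {"a": edge_a, "b": edge_b}


def run_R() -> Dict[str, object]:
    """Constructed run: wait 2, start a (c_x := 0), then probe b at several times.
    With r = d(a) = 3, Lemma 2 predicts b enabled exactly in [103, 105]."""
    edges = timed_cts_of_R()
    v = advance({"x": 0.0, "y": 0.0}, 2.0)  # (s0, 0) followed by a delay of 2
    a_ok = enabled(edges["a"], v)
    state, v = fire(edges["a"], v)
    return {
        "state": state,
        "a_at_2": a_ok,
        "b_at_50": enabled(edges["b"], advance(v, 50.0)),
        "b_at_103": enabled(edges["b"], advance(v, 103.0)),
        "b_at_105": enabled(edges["b"], advance(v, 105.0)),
        "b_at_106": enabled(edges["b"], advance(v, 106.0)),
    }


if __name__ == "__main__":
    print(run_R())
```

The probes show the point of Lemma 2: after `a` starts, the guard built from $\mathcal{F}_2(\{x{:}a\}) + 100$ reads $103 \le c_x \wedge c_x \le 105$, so `b` is refused at 50, accepted at 103 and 105, and refused again at 106; condition (iii) is checked separately from the guard, which matters when a cause set contains an action whose clock was reset later than the others.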



Definition 9. Given a duration-CSP process $P$, the denotational semantics of $P$ over the class of timed-CTS, denoted by $\llbracket P \rrbracket$, consists in associating to $P$ the timed-CTS which is generated by the transition relation $\to\ \subseteq \mathcal{C} \times Act \times \mathcal{C}$ given in Section 5, starting from the configuration $\emptyset[P]$.



Equivalence of the operational and denotational semantics.

We arrive at the final point of this section: we prove that the two semantics are equivalent. The notion of equivalence is formalized through the notion of $T$-bisimulation. Let $f : A \to B$ and let $A' \subseteq A$ and $B' \subseteq B$. The parametrized restrictions of $f$ w.r.t. its domain and co-domain are defined respectively as follows:

$f\!\upharpoonright_1\!(A') := \{ (a, b) \in f \mid a \in A' \}$ and $f\!\upharpoonright_2\!(B') := \{ (a, b) \in f \mid b \in B' \}$

Definition 10. A $T$-bisimulation linking the states of a timed-CTS and the timed causal configurations of $\mathcal{C}_T$ is a binary relation $\mathfrak{R}$ that comes with an events' bijection $f : \mathcal{E} \to \mathcal{E}$, and satisfies the following conditions for each $((s, v), \mathcal{P}_T)_f \in \mathfrak{R}$:

1.1. if $(s, v) \xrightarrow{E,\,b,\,x} (s', v')$ then there exists $\mathcal{P}_T \overset{F_T,\,b,\,y}{\leadsto} \mathcal{P}'_T$ such that

i. $z{:}b \in E$ if and only if $f(z){:}b{:}t \in F_T$ for some $t \in \mathbb{R}^+$, and

ii. $((s', v'), \mathcal{P}'_T)_{f'} \in \mathfrak{R}$ where $f' := (f\!\upharpoonright_1\!(\psi(s') \setminus \{x\}))\!\upharpoonright_2\!(\psi(\mathcal{P}'_T) \setminus \{y\}) \cup \{(x, y)\}$.

1.2. if $(s, v) \xrightarrow{d} (s, v')$ then $\mathcal{P}_T \overset{d}{\leadsto} \mathcal{P}'_T$ and $((s, v'), \mathcal{P}'_T)_f \in \mathfrak{R}$.

2.1. if $\mathcal{P}_T \overset{F_T,\,b,\,y}{\leadsto} \mathcal{P}'_T$ then there exists $(s, v) \xrightarrow{E,\,b,\,x} (s', v')$ such that

i. $z{:}b \in E$ if and only if $f(z){:}b{:}t \in F_T$ for some $t \in \mathbb{R}^+$, and

ii. $((s', v'), \mathcal{P}'_T)_{f'} \in \mathfrak{R}$ where $f'$ is as in 1.1.

2.2. if $\mathcal{P}_T \overset{d}{\leadsto} \mathcal{P}'_T$ then $(s, v) \xrightarrow{d} (s, v')$ and $((s, v'), \mathcal{P}'_T)_f \in \mathfrak{R}$.

A timed-CTS and a set of timed causal configurations are $T$-bisimilar iff there exists a $T$-bisimulation containing their initial configurations.

Theorem 1. The operational and the denotational semantics $(\cdot)_{op}$ and $\llbracket \cdot \rrbracket$ are equivalent, i.e. for each duration-CSP process $P$ there exists a $T$-bisimulation $\mathfrak{R}$ such that $(\llbracket P \rrbracket, P_{op}) \in \mathfrak{R}$.

6. SIMPLE CASE STUDY

As a simple application we illustrate the use of duration-CSP through a simplified version of the Tick-Tock protocol [LLD94], which has been used for the assessment of timed formal description techniques.

The Tick-Tock case contains three entities called sender, receiver and service, see Figure 6.1. Moreover, service interacts with sender and receiver through their SAPs Ss-SAP and Sr-SAP, respectively. In the sequel we restrict ourselves to the specification of the service. The description of the service is as follows: service transmits data from sender to receiver. The exchanges are performed through the corresponding SAPs in an atomic way and carry a data unit called the cell. Service must satisfy the following requirements:



Figure 6.1: The protocol. Sender and receiver interact with service through the SAPs Ss-SAP and Sr-SAP.



Frequency. A cell from sender is only accepted by service at precise, punctual instants within a period of $\pi$ units of time.

Transmission delay. Service provides a cell to receiver between $T_{min}$ and $T_{max}$ units of time after its emission.

Spacing between deliveries. There is a delay of at least $\Delta$ units of time between two consecutive offers of cells at Sr-SAP.

Immediate acceptance. A cell offered by service to receiver must be immediately accepted by receiver; otherwise service loses the cell immediately.

Loss-free transmission. No cell is lost during its transmission through service.

6.1 Specification of service with duration-CSP

The specification of service is given in such a way that each timed requirement is expressed as a duration-CSP process. It is composed of three processes: Frequency, Medium and ImmAccept.

Frequency. The frequency behaviour of service is:

process Frequency[Ss-SAP] :=
    Ss-SAP{0}; ⊙^π Frequency[Ss-SAP] + Frequency[Ss-SAP]
endproc

Medium. The Medium must satisfy both the transmission delay and the spacing between deliveries requirements:

process Medium[Ss-SAP, Del] :=
    (Ss-SAP; TRANS; Del; stop ||| Medium[Ss-SAP, Del])
    |[Del]|
    Del; ⊙^Δ Medium[Ss-SAP, Del]
endproc

Immediate acceptance. This requirement is specified as follows:

process ImmAccept[Del, Sr-SAP] :=
    Del; (Sr-SAP{0}; ImmAccept[Del, Sr-SAP]) + ImmAccept[Del, Sr-SAP]
endproc

Service. The three processes above have to synchronize on the internal action Del. Since Del is an internal action, it must be hidden. The behaviour of the process Service is as follows:

process Service[Ss-SAP] :=
    (Frequency[Ss-SAP] |[Ss-SAP]|
        (Medium[Ss-SAP, Del] |[Del]| ImmAccept[Del, Sr-SAP])
    ) \ {Del}
endproc



We note that all the actions are atomic apart from the action TRANS, which denotes the transmission delay. Therefore the duration of TRANS should belong to the interval $[T_{min}, T_{max}]$. As a matter of fact it is not hard to change the semantics of the language by considering the actions to be of variable duration instead of a fixed one. Finally we point out that one of the interesting features of duration-CSP - with its timed causal semantics - is that it allows the refinement of a given action, notably the action TRANS in this example, into a more complicated process, which allows an incremental design of the system. The refinement operator as well as its semantics and properties are discussed in the following section.

7. ACTION REFINEMENT IN DURATION-CSP

One of the interesting steps during the hierarchical design of complex systems is the refinement of an action $a$ into a process. As a matter of fact, one can associate to each specification a level of abstraction based on the details of the actions which compose the specification. For instance, given a specification $E$ of abstraction level $N$, the refinement $\rho(a, P, E)$ of an action $a$ by a process $P$ in the specification $E$ means that, when passing from the abstraction level $N$ to $N + 1$, the refinement operator exhibits the internal structure of the action $a$, that is, $a$ is replaced by the process $P$ at level $N + 1$. There have been many earlier works carrying out action refinement in process algebra; let us mention [CS93, SpC94, FMCW02, KK09].

In this section we enrich the language duration-CSP with the refinement operator $\rho$. The new language is called duration-CSP$\rho$; afterwards, we give the timed causal semantics of this language, notably the semantics of the refinement operator. Finally we prove that the refinement operator preserves the timed causal bisimulation.

The syntax of duration-CSP$\rho$ is given as follows:

• if $P$ is a duration-CSP process then $P$ is again a duration-CSP$\rho$ process,

• if $a$ is an action, $P$ is a duration-CSP process and $Q$ is a duration-CSP$\rho$ process, then $\rho(a, P, Q)$ is a duration-CSP$\rho$ process.



In order to define the timed causal semantics of the refinement operator $\rho$, we introduce a new kind of operator on the timed causal configurations $\mathcal{C}_T$, called the partial sequencing operator and denoted by $\gg_x$. Intuitively, the semantics of $\mathcal{P}_T \gg_x \mathcal{Q}_T$ means that all the actions of $\mathcal{Q}_T$ which do not depend on the termination of the event $x$ run concurrently with the actions of $\mathcal{P}_T$; however, the execution of the remaining actions of $\mathcal{Q}_T$ must wait for the successful termination of $\mathcal{P}_T$. Besides the distributivity of the event names over the basic duration-CSP operators, we assume that the event names distribute over the refinement operator, i.e. for every $E_T \in 2^{\mathcal{E} \times \mathcal{L} \times \mathbb{R}^+}$ and every process $\rho(a, P, Q)$,

$E_T[\rho(a, P, Q)] = \rho(a, P, E_T[Q])$

Again we can extend Lemma 1 to obtain:

Lemma 3. Every canonical timed causal configuration has one of the following forms:

$E_T[\mathrm{stop}]$, $E_T[\mathrm{skip}\{d\}]$, $\odot^d \mathcal{P}_T$, $E_T[a\{d\};P]$, $\mathcal{P}_T + \mathcal{Q}_T$, $\mathcal{P}_T\,|[L]|\,\mathcal{Q}_T$, $\mathcal{P}_T \backslash L$, $\mathcal{P}_T \,\triangle\, \mathcal{Q}_T$, $\rho(a, P, \mathcal{Q}_T)$, $\mathcal{P}_T \gg_x \mathcal{Q}_T$

where $\mathcal{P}_T$ and $\mathcal{Q}_T$ are in canonical form.

The function $\psi : \mathcal{C}_T \to 2^{\mathcal{E} \times \mathcal{L} \times \mathbb{R}^+}$ that determines the set of events of a given timed configuration of duration-CSP$\rho$ is the same as that of Definition 4, extended with the following rules:

$\psi(\mathcal{P} \gg_x \mathcal{Q}) = \psi(\mathcal{P}) \cup (\psi(\mathcal{Q}) \setminus \{x\})$

$\psi(\rho(a, P, \mathcal{Q})) = \psi(\mathcal{Q})$



7.1 Operational semantics of duration-CSP$\rho$

This subsection introduces the operational semantics of duration-CSP$\rho$ in the same way as we have done for duration-CSP.

Definition 11. The timed transition relation over the timed causal configurations of duration-CSP$\rho$, denoted again by $\leadsto$, is the relation that satisfies the rules 0, ..., VIII extended with the following rules:



(R.1) $\dfrac{\mathcal{P} \overset{E,\,a,\,y}{\leadsto} \mathcal{P}'}{\mathcal{P} \gg_x \mathcal{Q} \overset{E,\,a,\,z}{\leadsto} \mathcal{P}'[z/y] \gg_x \mathcal{Q}}$ where $z = get(\mathcal{E} \setminus ((\psi(\mathcal{P}') \setminus \{y\}) \cup (\psi(\mathcal{Q}) \setminus \{x\})))$

(R.2) $\dfrac{\mathcal{P} \overset{E,\,\delta,\,y}{\leadsto} \mathcal{P}'}{\mathcal{P} \gg_x \mathcal{Q} \overset{E,\,\delta,\,z}{\leadsto} \mathcal{Q}[z/x]}$ where $z = get(\mathcal{E} \setminus (\psi(\mathcal{Q}) \setminus \{x\}))$

(R.3) $\dfrac{\mathcal{Q} \overset{E,\,a,\,y}{\leadsto} \mathcal{Q}' \qquad x \notin E}{\mathcal{P} \gg_x \mathcal{Q} \overset{E,\,a,\,z}{\leadsto} \mathcal{P} \gg_x \mathcal{Q}'[z/y]}$ where $z = get(\mathcal{E} \setminus (\psi(\mathcal{P}) \cup (\psi(\mathcal{Q}') \setminus \{y\}) \cup \{x\}))$

(R.4) $\dfrac{\mathcal{Q} \overset{E,\,b,\,y}{\leadsto} \mathcal{Q}' \qquad b \neq a}{\rho(a, P, \mathcal{Q}) \overset{E,\,b,\,y}{\leadsto} \rho(a, P, \mathcal{Q}')}$

(R.5) $\dfrac{\mathcal{Q} \overset{E_T,\,a,\,x}{\leadsto} \mathcal{Q}' \qquad E_T[P] \overset{E,\,b,\,y}{\leadsto} \mathcal{P}'}{\rho(a, P, \mathcal{Q}) \overset{E,\,b,\,z}{\leadsto} \mathcal{P}'[z/y] \gg_x \rho(a, P, \mathcal{Q}')}$ where $z = get(\mathcal{E} \setminus ((\psi(\mathcal{P}') \setminus \{y\}) \cup (\psi(\mathcal{Q}') \setminus \{x\})))$

(R.r.3) $\dfrac{\mathcal{P} \gg_x \mathcal{Q} \overset{d}{\leadsto} \mathcal{P}' \gg_x \mathcal{Q}'}{\rho(a, P, \mathcal{Q}) \overset{d}{\leadsto} \rho(a, P, \mathcal{Q}')}$

The rules R.1, R.2, R.3, R.r.1 and R.r.2 define the semantics of the partial sequencing operator $\gg_x$. That is, the rule R.1 expresses the fact that the occurrence of any action in the configuration $P$ remains possible in the configuration $P \gg_x Q$; however the renaming of the event $y$ is necessary because $y$ may be the event of some action which is already running in the configuration $Q$. The rule R.2 expresses the case of the successful termination of $P$. Note that the event $x$ is renamed to $z$, which identifies the successful termination of $P$. The rule R.3 expresses that all the actions of the configuration $Q$ which do not depend on the termination of the event $x$ (i.e. on the successful termination of the configuration $P$) can be executed in the configuration $P \gg_x Q$. The rule R.r.1 shows that time is allowed to elapse only in the left part of the configuration $P \gg_x Q$ whenever $Q$ is waiting for the termination of the event $x$. However the rule R.r.2 allows the elapse of time in both parts of the configuration $P \gg_x Q$ if $Q$ is not waiting for the termination of $x$.

The rules R.4, R.5 and R.r.3 give the semantics of the refinement operator $\rho$. The rule R.4 shows the case when the configuration $Q$ provides an action $b$ which is not subject to the refinement; in this case the action $b$ remains possible in the configuration $\rho(a, P, Q)$. The rule R.5 expresses the case when the configuration $Q$ provides the action $a$ which has to be refined into the process $P$. Hence the execution of the action $a$ must be replaced by the execution of the process $P$. Since the execution of $a$ depends on the termination of all the events of $E_T$, every action of $P$ also depends on the termination of the same set of events. Moreover, it is clear that all the actions of $Q'$ which depend on the termination of $a$ must also depend on the successful termination of $E_T[P]$, whereas the remaining actions are executed in parallel with $E_T[P]$. This shows the usefulness of the partial sequencing operator $\gg_x$ in expressing the semantics of the refinement operator.

The following Theorem shows the main property of the refinement operator $\rho$; it expresses that the refinement operator preserves the timed causal bisimulation¹.

Theorem 2. For every timed configuration $P, Q$ of duration-CSP$_\rho$, for every action $a$ and for every duration-CSP process $E$, if $P \sim_T Q$ then $\rho(a, E, P) \sim_T \rho(a, E, Q)$.

¹ Indeed we mean the timed causal bisimulation that links the timed configurations and which is defined in a routine way, see the appendix, Definition 12.



8. CURRENT AND FUTURE WORKS

At the moment we are looking for a probabilistic extension of the timed causal transition systems in the following way: rather than considering that the actions have a fixed duration, it is more realistic to attribute to them a probabilistic duration that follows a certain distribution, notably a normal (Gaussian) distribution. Within this model, many problems suggest themselves, such as model checking. This is an orthogonal formalism w.r.t. the probabilistic timed automata [JLS07], where the probabilities are attributed to the transitions rather than to the actions.

Another work consists in considering the model checking of the duration logics [CHR91, Lev04] over the timed causal transition systems.



Finally we emphasize that it is not useful to encode the timed-CTS model into the timed automata one, since this implies the loss of the notion of true concurrency and gives rise to a combinatorial explosion due to the splitting of each action into two events: the starting and the finishing one. The implementation of an environment that integrates the timed-CTS model, the duration-CSP language and the refinement operator $\rho$ should not present any technical difficulties.
Appendix: proofs of the statements

Lemma 1. Every canonical timed causal configuration in $\mathcal{C}_T$ has one of the following forms:

$$E_T[stop] \qquad E_T[skip\{d\}] \qquad \Theta_d\, P_T \qquad E_T[a\{d\};P]$$
$$P_T + Q_T \qquad P_T\,|[L]|\,Q_T \qquad P_T \setminus L \qquad P_T\,\Delta\,Q_T$$

where $P_T$ and $Q_T$ are in the canonical form.

Proof. We prove by induction that every timed configuration which is not in one of these forms can be reduced by distributing the set of events over the algebraic operators. The proof of the same lemma for the untimed configurations was given in [Cos93]; we adapt it here to the timed configurations.

If a given timed configuration $R'_T$ can be obtained from $R_T$ by distributing the set of events over the algebraic operators then we write $R_T \leftrightarrow R'_T$. We only consider the cases where the timed configuration is of the form $E_T[R]$:

• $R = \Theta_d\, P$: $E_T[R] \leftrightarrow \Theta_d\, E_T[P]$,

• $R = P + Q$: $E_T[R] \leftrightarrow E_T[P] + E_T[Q]$,

• $R = P\,|[L]|\,Q$: $E_T[R] \leftrightarrow E_T[P]\,|[L]|\,E_T[Q]$,

• $R = P \setminus L$: $E_T[R] \leftrightarrow E_T[P] \setminus L$,

• $R = P\,\Delta\,Q$: $E_T[R] \leftrightarrow E_T[P]\,\Delta\,E_T[Q]$.

This ends the proof of Lemma 1. □

Lemma 2. Let $s_1 \xrightarrow{E:b:x,\ \mathcal{J}_u + d,\ C_x} s_2$ be a timed transition of a given timed-CTS. The action $b$ is enabled in the timed interval $[\tau + d, \tau + d + u]$ where $\tau \in \mathbb{R}^+$ is the time stamp of the termination of the last finished action in $E$.

Proof. Recall first the definition of $\mathcal{J}_u$:

$$\mathcal{J}_u(E) = \bigwedge_{x:a \in E} (d(a) \le c_x) \wedge \bigvee_{x:a \in E} (c_x \le d(a) + u) \tag{2}$$

therefore by the definition of $+$ (see Definition 8) we get

$$(\mathcal{J}_u + d)(E) = \underbrace{\bigwedge_{x:a \in E} (d(a) + d \le c_x)}_{\Phi_1} \wedge \underbrace{\bigvee_{x:a \in E} (c_x \le d(a) + d + u)}_{\Phi_2}$$

On the one hand, the constraint $\Phi_1$ ensures that the action $b$ is enabled in the interval $[\tau + d, \infty]$, where $\tau$ is the time stamp of termination of the last finished action in $E$. On the other hand, the condition $\Phi_2$ states that the action $b$ is enabled in the interval $[0, \tau_{max}]$ where

$$\tau_{max} = \mathrm{Max}_{x:a \in E}\{\tau_x + d + u\} = \mathrm{Max}_{x:a \in E}\{\tau_x\} + d + u$$

where $\tau_x$ is the time stamp of the termination of the action $a$ s.t. $x : a \in E$. Hence,

$$\tau_{max} = \tau + d + u$$

Therefore, the constraint $\Phi_2$ states that the action $b$ is enabled in the interval $[0, \tau + d + u]$. We conclude that the constraint $\Phi_1 \wedge \Phi_2$ states that the action $b$ is enabled in the interval $[\tau + d, \tau + d + u]$. □

Theorem 1. The operational and the denotational semantics $(.)^{op}$ and $[\![.]\!]$ are equivalent, i.e. for each duration-CSP process $P$ there exists a $\tau$-bisimulation $\mathfrak{R}$ such that $([\![P]\!], P^{op}) \in \mathfrak{R}$.

Proof. We construct a binary relation linking the elements of $[\![P]\!]$ and $P^{op}$, afterward we prove that it is a $\tau$-bisimulation. First of all we assume that $\mathfrak{R}$ comes with the identity function $Id$ over the set of events, i.e. we do not need to rename the events. We let

$$\mathfrak{R} = (\mathfrak{R}_0 \cup \bar{\mathfrak{R}}_0) \cup \cdots \cup (\mathfrak{R}_n \cup \bar{\mathfrak{R}}_n) \cup \cdots$$

where

$$\mathfrak{R}_0 = \{(({}_\emptyset[P], \mathbb{O}),\ {}_\emptyset[P])\} \cup \{(\mathcal{P}', Q_T)\ \text{s.t.}\ \exists d \in \mathbb{R}\ (({}_\emptyset[P], \mathbb{O}) \xrightarrow{d} \mathcal{P}'\ \text{and}\ {}_\emptyset[P] \rightsquigarrow^{d} Q_T)\}$$

$$\mathfrak{R}_{m+1} = \{(\mathcal{P}^{m+1}, Q_T^{m+1})\ \text{s.t.}\ \exists(\mathcal{P}^m, Q_T^m) \in \mathfrak{R}_m\ \text{s.t.}\ \mathcal{P}^m \xrightarrow{E:a:x} \mathcal{P}^{m+1}\ \text{and}\ Q_T^m \rightsquigarrow^{E:a:x} Q_T^{m+1}\ \text{for some action } a\} \cup \{(\mathcal{P}', Q')\ \text{s.t.}\ \exists d \in \mathbb{R}\ \text{s.t.}\ \mathcal{P}^{m+1} \xrightarrow{d} \mathcal{P}'\ \text{and}\ Q_T^{m+1} \rightsquigarrow^{d} Q'\}$$

$$\bar{\mathfrak{R}}_m = \{(\mathcal{P}^m, *)\ \text{s.t.}\ (\mathcal{P}^m, Q_T^m) \in \mathfrak{R}_m\ \text{and}\ \exists d \in \mathbb{R}\ \text{s.t.}\ \mathcal{P}^m \xrightarrow{d} \mathcal{P}'\ \text{and}\ \nexists Q'.\ Q_T^m \rightsquigarrow^{d} Q'\} \cup \{(*, Q_T^m)\ \text{s.t.}\ (\mathcal{P}^m, Q_T^m) \in \mathfrak{R}_m\ \text{and}\ \exists d \in \mathbb{R}\ \text{s.t.}\ Q_T^m \rightsquigarrow^{d} Q'\ \text{and}\ \nexists \mathcal{P}'.\ \mathcal{P}^m \xrightarrow{d} \mathcal{P}'\}$$



During the construction of $\mathfrak{R}_i$, $i = 0, \cdots, n$, we require that the invariants (SYNCH1) and (SYNCH2) hold.

The invariant (SYNCH1) is defined as follows: for each pair $((R, \nu), R_T) \in \mathfrak{R}_n$, the pair $(\psi(R_T), \psi(R))$ is synchronized in the following sense:

$$z : b : t_z \in \psi(R_T) \text{ iff } z : b \in \psi(R) \text{ and } t_z = \nu(c_z) \tag{SYNCH1}$$

To give the definition of the invariant (SYNCH2) we need some notations. Let us define the function $\mathbb{F}(.)$ that takes a timed configuration (in $\mathcal{C}_T$ or in $\mathcal{C}$) and returns only the duration-CSP process by deleting recursively the set of events:

$$\begin{array}{rcl}
\mathbb{F}({}_{E_T}[stop]) & = & stop\\
\mathbb{F}({}_{E_T}[skip\{d\}]) & = & skip\{d\}\\
\mathbb{F}({}_{E_T}[a\{d\};P]) & = & a\{d\};P\\
\mathbb{F}(\Theta_d\, P_T) & = & \Theta_d\, \mathbb{F}(P_T)\\
\mathbb{F}(P_T \setminus L) & = & \mathbb{F}(P_T) \setminus L\\
\mathbb{F}(P_T + Q_T) & = & \mathbb{F}(P_T) + \mathbb{F}(Q_T)\\
\mathbb{F}(P_T\,|[L]|\,Q_T) & = & \mathbb{F}(P_T)\,|[L]|\,\mathbb{F}(Q_T)\\
\mathbb{F}(P_T\,\Delta\,Q_T) & = & \mathbb{F}(P_T)\,\Delta\,\mathbb{F}(Q_T)
\end{array}$$

We let also, for $i \in \mathbb{N}$, $\mathfrak{R}^*_i$ to be:

$$\mathfrak{R}^*_i = \begin{cases} \{(({}_\emptyset[P], \mathbb{O}),\ {}_\emptyset[P])\} & \text{if } i = 0\\[4pt] \{(R^i, R_T^i) \in \mathfrak{R}_i\ \text{s.t.}\ \exists (R^{i-1}, R_T^{i-1}) \in \mathfrak{R}_{i-1}\ \text{s.t.}\ R^{i-1} \xrightarrow{E:a:x} R^i\ \text{and}\ R_T^{i-1} \rightsquigarrow^{E:a:x} R_T^i\ \text{for some } a\} & \text{if } i \ge 1\end{cases}$$

The invariant (SYNCH2) is given by

$$\forall i \in \mathbb{N},\ \forall ((R^i, \nu), R_T^i) \in \mathfrak{R}^*_i\ \text{we have that (i) } \mathbb{F}(R^i) = \mathbb{F}(R_T^i)\ \text{and (ii) the pair } (R^i, R_T^i)\ \text{is synchronized} \tag{SYNCH2}$$

Now we shall prove that $\mathfrak{R}$ is a $\tau$-bisimulation. For this aim, it is enough to prove that, for each $n \in \mathbb{N}$, $\mathfrak{R}_n \cup \bar{\mathfrak{R}}_n$ is a $\tau$-bisimulation, i.e. $\bar{\mathfrak{R}}_n = \emptyset$. The proof is by induction on $n$.



Initial step $n = 0$, i.e. we consider $\mathfrak{R}_0$ defined by:

$$\mathfrak{R}_0 = \{(({}_\emptyset[P], \mathbb{O}),\ {}_\emptyset[P])\} \cup \{(\mathcal{P}', Q_T)\ \text{s.t.}\ \exists d \in \mathbb{R}\ (({}_\emptyset[P], \mathbb{O}) \xrightarrow{d} \mathcal{P}'\ \text{and}\ {}_\emptyset[P] \rightsquigarrow^{d} Q_T)\}$$

In this step we shall prove that (i) $\bar{\mathfrak{R}}_0 = \emptyset$, (ii) $\mathfrak{R}_0$ satisfies the invariants (SYNCH1) and (SYNCH2) and (iii) $\mathfrak{R}_1$ satisfies the invariant (SYNCH2). The proof now is by structural induction on $P$.

Case (i). The case $P = stop$ is obvious.

Case (ii). $P = skip\{u\}$. The rule (1.b) of the denotational semantics ensures that for all $d$ with $0 < d \le u$ there is a derivation

$$({}_\emptyset[skip\{u\}], \mathbb{O}) \xrightarrow{d} ({}_\emptyset[skip\{u\}], \mathbb{O} + d)$$

In the same way, the rule (I.τ) of the operational semantics allows, for each $d \in\, ]0, u]$, the derivation

$${}_\emptyset[skip\{u\}] \rightsquigarrow^{d} {}_\emptyset[skip\{u - d\}]$$

This shows that $\bar{\mathfrak{R}}_0 = \emptyset$, therefore $\mathfrak{R}_0 \cup \bar{\mathfrak{R}}_0$ is a $\tau$-bisimulation. Now we show that $\mathfrak{R}_0$ satisfies the invariants (SYNCH1), (SYNCH2) and $\mathfrak{R}_1$ satisfies the invariant (SYNCH2). Note that $\mathfrak{R}_0$ satisfies trivially the invariant (SYNCH1) because $\psi({}_\emptyset[skip\{u\}]) = \psi({}_\emptyset[skip\{u - d\}]) = \emptyset$. Also, $\mathfrak{R}_0$ satisfies trivially the invariant (SYNCH2) because $\mathfrak{R}^*_0 = \{(({}_\emptyset[skip\{u\}], \mathbb{O}),\ {}_\emptyset[skip\{u\}])\}$. To show that $\mathfrak{R}_1$ satisfies the invariant (SYNCH2) we consider $\mathfrak{R}^*_1$. The latter is obtained first by applying the rule (1.a) of the denotational semantics to $({}_\emptyset[skip\{u\}], \mathbb{O} + d)$, giving rise to the derivation:

$$({}_\emptyset[skip\{u\}], \mathbb{O} + d) \xrightarrow{\emptyset:\delta:x} ({}_{\{x:\delta\}}[stop], (\mathbb{O} + d)[c_x \mapsto 0])$$

and by applying the rule (I.a) of the operational semantics to the configuration ${}_\emptyset[skip\{u - d\}]$, giving rise to the derivation:

$${}_\emptyset[skip\{u - d\}] \rightsquigarrow^{\emptyset:\delta:x} {}_{\{x:\delta:0\}}[stop]$$

Therefore

$$\mathfrak{R}^*_1 = \{(({}_{\{x:\delta\}}[stop], (\mathbb{O} + d)[c_x \mapsto 0]),\ {}_{\{x:\delta:0\}}[stop])\}$$

Note that $\mathfrak{R}^*_1$ satisfies the invariant (SYNCH2) because (i) $\mathbb{F}({}_{\{x:\delta\}}[stop]) = \mathbb{F}({}_{\{x:\delta:0\}}[stop]) = stop$ and (ii) clearly the pair $(({}_{\{x:\delta\}}[stop], (\mathbb{O} + d)[c_x \mapsto 0]),\ {}_{\{x:\delta:0\}}[stop])$ is synchronized since the clock $c_x$ is reset to zero.

Case (iii). The case $P = a\{u\}; Q$ is similar to the previous one apart that we deal here with the action $a$ instead of $\delta$, and with the process $Q$ instead of the process $stop$.

Case (iv). The case $P = Q + R$ is straightforward by applying the induction hypothesis to $Q$ and $R$.

Case (v). $P = P_1\,|[L]|\,P_2$. First we show that $\bar{\mathfrak{R}}_0 = \emptyset$. The rule (IV.τ) of the operational semantics implies that if

$${}_\emptyset[P_1\,|[L]|\,P_2] \rightsquigarrow^{d} {}_\emptyset[P'_1]\,|[L]|\,{}_\emptyset[P'_2]$$

then

$${}_\emptyset[P_i] \rightsquigarrow^{d} {}_\emptyset[P'_i] \qquad i = 1, 2.$$

By applying the induction hypothesis to both $P_1$ and $P_2$ we get the possible derivations:

$$({}_\emptyset[P_i], \mathbb{O}) \xrightarrow{d} ({}_\emptyset[P_i], \mathbb{O} + d) \qquad i = 1, 2$$

Hence

$$({}_\emptyset[P_1\,|[L]|\,P_2], \mathbb{O}) \xrightarrow{d} ({}_\emptyset[P_1\,|[L]|\,P_2], \mathbb{O} + d)$$

This shows that $\bar{\mathfrak{R}}_0 = \emptyset$. Note that $\mathfrak{R}_0$ satisfies the invariants (SYNCH1) and (SYNCH2) (the same arguments used in Case (ii) hold). Let us show that $\mathfrak{R}_1$ satisfies the invariant (SYNCH2). To this goal let $a$ be an action; we consider the case when $a \notin L \cup \{\delta\}$ and $i = 1$. The case when $a \notin L \cup \{\delta\}$, $i = 2$ and the case when $a \in L \cup \{\delta\}$ are handled similarly. Let $i = 1$ and assume the derivation:

$${}_\emptyset[P_1] \rightsquigarrow^{\emptyset:a:x} {}_{\{x:a:0\}}[Q'_1] \tag{3}$$

The induction hypothesis shows that the following derivation is possible:

$$({}_\emptyset[P_1], \mathbb{O} + d) \xrightarrow{\emptyset:a:x} ({}_{\{x:a\}}[Q_1], \mathbb{O} + d[c_x \mapsto 0]) \tag{4}$$

and ensures that $\mathbb{F}({}_{\{x:a:0\}}[Q'_1]) = \mathbb{F}({}_{\{x:a\}}[Q_1]) = Q_1$. Therefore by applying the rule (IV.a) of the operational semantics and considering the derivation (3) above we get the derivation:

$${}_\emptyset[P_1]\,|[L]|\,{}_\emptyset[P_2] \rightsquigarrow^{\emptyset:a:x} {}_{\{x:a:0\}}[Q'_1]\,|[L]|\,{}_\emptyset[P_2]$$

Also by applying the rule (4.a) of the denotational semantics and considering the derivation (4) above we get the derivation:

$$({}_\emptyset[P_1\,|[L]|\,P_2], \mathbb{O} + d) \xrightarrow{\emptyset:a:x}({}_{\{x:a\}}[Q_1]\,|[L]|\,{}_\emptyset[P_2], \mathbb{O} + d[c_x \mapsto 0])$$

Thus

$$\mathfrak{R}^*_1 = \{(({}_{\{x:a\}}[Q_1]\,|[L]|\,{}_\emptyset[P_2], \mathbb{O} + d[c_x \mapsto 0]),\ {}_{\{x:a:0\}}[Q'_1]\,|[L]|\,{}_\emptyset[P_2])\}$$

and it is easy to check that $\mathfrak{R}_1$ satisfies the invariant (SYNCH2).



Case (vi). The cases of the hide operator (rules (V.a) and (V.b)) and of the interruption operator (rules (VI.a), (VI.b) and (VI.c)) are handled by the induction machinery.

Case (vii). If $P = \Theta_d\, Q$, then it suffices to prove the following Claim:

Claim 1. Let $d \in \mathbb{R}^+$, $tr = s \xrightarrow{E:a:x,\ \varphi,\ C} s'$ be a transition of a given timed-CTS and $tr_+$ be the same transition apart that we replace $\varphi$ with $\varphi + d$, i.e. $tr_+ = s_+ \xrightarrow{E:a:x,\ \varphi + d,\ C} s'_+$. Then, the transition $tr$ allows the action $a$ at the time stamp $\tau$ if and only if $tr_+$ allows $a$ at the time stamp $\tau + d$.

Proof [of the Claim]. Straightforward from the definition of the delay function $+$ (see Definition 8) since $\varphi + d$ lifts every (atomic) constraint $\alpha \le c_x$ to $\alpha + d \le c_x$, and $c_x \le \beta$ to $c_x \le \beta + d$. This ends the proof of the Claim. □
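As an added illustration of Claim 1 and of the interval computation in Lemma 2 (not part of the paper's proof), take a transition guarded by $\mathcal{J}_u(E)$ with the constructed instance $E = \{x : a_1,\ y : a_2\}$, $d(a_1) = 2$, $d(a_2) = 3$, $u = 2$ and delay $d = 1$, where we assume the clocks $c_x$ and $c_y$ were reset when $a_1$ and $a_2$ started, at global times $0$ and $1$ respectively.

$$\begin{aligned}
\mathcal{J}_u(E) &= (2 \le c_x) \wedge (3 \le c_y) \wedge \big((c_x \le 4) \vee (c_y \le 5)\big)\\
(\mathcal{J}_u + d)(E) &= \underbrace{(3 \le c_x) \wedge (4 \le c_y)}_{\Phi_1} \wedge \underbrace{\big((c_x \le 5) \vee (c_y \le 6)\big)}_{\Phi_2}
\end{aligned}$$

At global time $t$ the clocks read $c_x = t$ and $c_y = t - 1$, so $\Phi_1 \iff t \ge 5$ and $\Phi_2 \iff t \le 7$: the action $b$ is enabled exactly on $[5, 7]$. The termination stamps are $\tau_x = 2$ and $\tau_y = 4$, hence $\tau = \mathrm{Max}\{\tau_x, \tau_y\} = 4$ and $[\tau + d,\ \tau + d + u] = [5, 7]$, as Lemma 2 states. The same computation with $d = 0$ gives $[4, 6]$, which is the shift by $d$ of every enabling instant asserted by Claim 1.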



Induction step: $n > 0$. That is, we consider $\mathfrak{R}_n$ defined above by:

$$\mathfrak{R}_n = \{(\mathcal{P}^n, Q_T^n)\ \text{s.t.}\ \exists(\mathcal{P}^{n-1}, Q_T^{n-1}) \in \mathfrak{R}_{n-1}\ \text{s.t.}\ \mathcal{P}^{n-1} \xrightarrow{E:a:x} \mathcal{P}^n\ \text{and}\ Q_T^{n-1} \rightsquigarrow^{E:a:x} Q_T^n\ \text{for some action } a\} \cup \{(\mathcal{P}', Q')\ \text{s.t.}\ \exists d \in \mathbb{R}\ \text{s.t.}\ \mathcal{P}^n \xrightarrow{d} \mathcal{P}'\ \text{and}\ Q_T^n \rightsquigarrow^{d} Q'\}$$

We recall that the induction hypothesis implies that $\mathfrak{R}_{n-1}$ satisfies the invariants (SYNCH1) and (SYNCH2), and that $\mathfrak{R}_n$ satisfies the invariant (SYNCH2). As we have done in the initial step, in this step we shall prove that (i) $\bar{\mathfrak{R}}_n = \emptyset$, (ii) $\mathfrak{R}_n$ satisfies the invariants (SYNCH1) and (SYNCH2) and (iii) $\mathfrak{R}_{n+1}$ satisfies the invariant (SYNCH2). As a consequence of the induction hypothesis $\mathfrak{R}_n$ may be written as:

$$\mathfrak{R}_n = \{(({}_E[P], \nu),\ {}_{E_T}[P])\ \text{s.t.}\ \exists(\mathcal{P}^{n-1}, Q_T^{n-1}) \in \mathfrak{R}_{n-1}\ \text{s.t.}\ \mathcal{P}^{n-1} \xrightarrow{E:a:x} ({}_E[P], \nu)\ \text{and}\ Q_T^{n-1} \rightsquigarrow^{E:a:x} {}_{E_T}[P]\ \text{for some action } a\} \cup \{(\mathcal{P}', Q')\ \text{s.t.}\ \exists d \in \mathbb{R}\ \text{s.t.}\ ({}_E[P], \nu) \xrightarrow{d} \mathcal{P}'\ \text{and}\ {}_{E_T}[P] \rightsquigarrow^{d} Q'\}$$

where the pair $(E, E_T)$ is synchronized. Again, the proof is by structural induction on $P$ and similar to the one given in the initial step.



Case (i). The case $P = stop$ is obvious because the pair $(E, E_T)$ is synchronized.

Case (ii). $P = skip\{u\}$. The rule (1.b) of the denotational semantics ensures that for all $d$ with $0 < d \le u$, counting from the moment when all the actions of $E$ have finished (see the definition of $\mathcal{J}_u(.)$), there is a derivation

$$({}_E[skip\{u\}], \nu) \xrightarrow{d} ({}_E[skip\{u\}], \nu + d)$$

In the same way, the rule (I.τ) of the operational semantics allows, for each $d \in\, ]0, u]$ such that all the actions of $E_T$ have finished, the derivation

$${}_{E_T}[skip\{u\}] \rightsquigarrow^{d} {}_{E_T}[skip\{u - d\}]$$

Since the pair $(E, E_T)$ is synchronized, $\bar{\mathfrak{R}}_n = \emptyset$, therefore $\mathfrak{R}_n \cup \bar{\mathfrak{R}}_n$ is a $\tau$-bisimulation. Using the same arguments as in Case (ii) of the initial step one can easily show that $\mathfrak{R}_n$ satisfies the invariants (SYNCH1), (SYNCH2) and $\mathfrak{R}_{n+1}$ satisfies the invariant (SYNCH2).



Case (iii). The case $P = a\{u\}; Q$ is similar to the previous one apart that we deal here with the action $a$ instead of $\delta$, and with the process $Q$ instead of the process $stop$.

Case (iv). The case P = Q + R is straightforward by 
applying the induction hypothesis to Q and R. 

Case (v). $P = P_1\,|[L]|\,P_2$. First we show that $\bar{\mathfrak{R}}_n = \emptyset$. The rule (IV.τ) of the operational semantics implies that if

$${}_{E_T}[P_1\,|[L]|\,P_2] \rightsquigarrow^{d} {}_{E_T}[P'_1]\,|[L]|\,{}_{E_T}[P'_2]$$

then

$${}_{E_T}[P_i] \rightsquigarrow^{d} {}_{E_T}[P'_i] \qquad i = 1, 2.$$

By applying the induction hypothesis to both $P_1$ and $P_2$ we get the possible derivations:

$$({}_E[P_i], \nu) \xrightarrow{d} ({}_E[P_i], \nu + d) \qquad i = 1, 2$$

Hence

$$({}_E[P_1\,|[L]|\,P_2], \nu) \xrightarrow{d} ({}_E[P_1\,|[L]|\,P_2], \nu + d)$$

Since the pair $(E, E_T)$ is synchronized, then $\bar{\mathfrak{R}}_n = \emptyset$. Note that for the same reason, $\mathfrak{R}_n$ satisfies trivially the invariants (SYNCH1) and (SYNCH2). Let us show that $\mathfrak{R}_{n+1}$ satisfies the invariant (SYNCH2). To this goal let $a$ be an action; we consider the case when $a \notin L \cup \{\delta\}$ and $i = 1$. The case when $a \notin L \cup \{\delta\}$, $i = 2$ and the case when $a \in L \cup \{\delta\}$ are handled similarly. Let $i = 1$ and assume the derivation:

$${}_{E_T}[P_1] \rightsquigarrow^{E_T:a:x} {}_{\{x:a:0\}}[Q'_1] \tag{5}$$

The induction hypothesis shows that the following derivation is possible:

$$({}_E[P_1], \nu + d) \xrightarrow{E:a:x} ({}_{\{x:a\}}[Q_1], \nu + d[c_x \mapsto 0]) \tag{6}$$

and ensures that $\mathbb{F}({}_{\{x:a:0\}}[Q'_1]) = \mathbb{F}({}_{\{x:a\}}[Q_1]) = Q_1$. Therefore by applying the rule (IV.a) of the operational semantics and considering the derivation (5) above we get the derivation:

$${}_{E_T}[P_1]\,|[L]|\,{}_{E_T}[P_2] \rightsquigarrow^{E_T:a:x} {}_{\{x:a:0\}}[Q'_1]\,|[L]|\,{}_{E_T}[P_2]$$

Also by applying the rule (4.a) of the denotational semantics and considering the derivation (6) above we get the derivation:

$$({}_E[P_1\,|[L]|\,P_2], \nu + d) \xrightarrow{E:a:x} ({}_{\{x:a\}}[Q_1]\,|[L]|\,{}_E[P_2], \nu + d[c_x \mapsto 0])$$

Thus

$$\mathfrak{R}^*_{n+1} = \{(({}_{\{x:a\}}[Q_1]\,|[L]|\,{}_E[P_2], \nu + d[c_x \mapsto 0]),\ {}_{\{x:a:0\}}[Q'_1]\,|[L]|\,{}_{E_T}[P_2])\}$$

and it is easy to check that $\mathfrak{R}_{n+1}$ satisfies the invariant (SYNCH2).

Case (vi). The cases of the hide operator (rules (V.a) and (V.b)), of the interruption operator (rules (VI.a), (VI.b) and (VI.c)), and of the delay operator are handled by the induction machinery.

This ends the proof of Theorem 1. □

Theorem 2. For every timed configuration $P, Q$ of duration-CSP$_\rho$, for every action $a$ and for every duration-CSP process $E$, if $P \sim_T Q$ then $\rho(a, E, P) \sim_T \rho(a, E, Q)$.

Proof. First we construct a binary relation linking the elements of $\rho(a, E, P)$ and $\rho(a, E, Q)$, and second we prove that it is a timed causal bisimulation. We let $\mathfrak{R} = \mathfrak{R}_1 \cup \mathfrak{R}_2$ where

$$\mathfrak{R}_1 = \{(\rho(a, E, P), \rho(a, E, Q))_f\ \text{s.t.}\ (P, Q)_f \in \mathfrak{R}'\}$$

such that $\mathfrak{R}'$ is a timed causal bisimulation; such a bisimulation does exist by the hypothesis of the Theorem.

$$\mathfrak{R}_2 = \{(P \gg_x P^+,\ P \gg_y Q^+)_f\ \text{s.t.}\ (P^+[v/x],\ Q^+[w/y])_{f'} \in \mathfrak{R}'\}$$

where

$$v \notin f(\psi(P^+) - \{x\}) \cup f^{-1}(\psi(Q^+) - \{y\}),$$
$$w \notin f(\psi(P^+) - \{x\}) \cup (\psi(Q^+) - \{y\}),$$
$$f' = f|_{(\psi(P^+) - \{x\})} \cup f^{-1}|_{(\psi(Q^+) - \{y\})}.$$

Now we show that $\mathfrak{R}$ is a timed causal bisimulation.

Initial step. That is, we verify that $\mathfrak{R}_1$ is a timed causal bisimulation:

1. If $\rho(a, E, P) \rightsquigarrow^{E_T:b:z} H$ then we distinguish two cases according to $H$:

• $H = \rho(a, E, P')$, therefore $P \rightsquigarrow^{E_T:b:z} P'$ and $b \neq a$. According to the hypothesis there exists a derivation $\rho(a, E, Q) \rightsquigarrow^{F_T:b:z'} \rho(a, E, Q')$ such that

(a) the definition of $f$ ensures that for each $u \in \psi(\rho(a, E, P))$, if $u \notin E_T$ and $f(u) \in \psi(\rho(a, E, Q))$ then $f(u) \notin F_T$,

(b) since there exist $v, w \in \mathcal{E}$ such that $(P'[v/x], Q'[w/y])_{f''} \in \mathfrak{R}'$ where

$$f'' = f|_{(\psi(P') - \{x\})} \cup f^{-1}|_{(\psi(Q') - \{y\})} \cup \{(v, w)\}$$

by using Definition ?? it follows that

$$(\rho(a, E, P'[v/x]),\ \rho(a, E, Q'[w/y]))_f \in \mathfrak{R}_1$$

where

$$f = f|_{(\psi(P') - \{x\})} \cup f^{-1}|_{(\psi(Q') - \{x\})} \cup \{(v, w)\}$$

• $H = R \gg_z \rho(a, E, P')$, then $P \rightsquigarrow^{E_T:a:z} P'$ and $E_T[E] \rightsquigarrow^{E_T:b:z} R$. According to the hypothesis we have that $Q \rightsquigarrow^{F_T:a:s} Q'$, and by taking $x \notin \psi(P - \{z\}) \cup \psi(Q') - \{s\}$, it follows that $\rho(a, E, Q) \rightsquigarrow^{F_T:b:x} R \gg_s \rho(a, E, Q')$.

2. Similar to 1.

3. If $\rho(a, E, P) \rightsquigarrow^{d} \rho(a, E, P')$, then $P \rightsquigarrow^{d} P'$. According to the hypothesis there exists a derivation $Q \rightsquigarrow^{d} Q'$ such that $(P', Q')_f \in \mathfrak{R}_1$ for some $f$, therefore it follows that $(\rho(a, E, P'), \rho(a, E, Q'))_f \in \mathfrak{R}_1$.

Induction step. In this step we consider the elements of $\mathfrak{R}_2$; these elements are of the form $(P \gg_x P^+,\ P \gg_y Q^+)_f$ where $(P^+[v/x], Q^+[w/y])_{f'} \in \mathfrak{R}'$ with $f' = f|_{(\psi(P^+) - \{x\})} \cup f^{-1}|_{(\psi(Q^+) - \{y\})} \cup \{(v, w)\}$:

1.1. If $P \gg_x P^+ \rightsquigarrow^{E_T:b:z} H$, we distinguish three cases according to $H$:

• $H = P' \gg_x P^+$, then $P \rightsquigarrow^{E_T:b:z'} P'$. By assuming that $z \notin \psi(P' \gg_x P^+) \cup f^{-1}(\psi(Q^+) \cup \{y\})$, and applying the rule R.1 we obtain the derivation $P \gg_y Q^+ \rightsquigarrow^{E_T:b:z} P' \gg_y Q^+$, and we are done.

• $H = P^+[z/x]$, then $P \rightsquigarrow^{E_T:\delta:z'} P'$ and $b = \delta$. By assuming that $z \notin f^{-1}(\psi(Q^+) - \{y\})$, and applying the rule R.2 we obtain the derivation $P \gg_y Q^+ \rightsquigarrow^{E_T:\delta:z} Q^+[z/y]$, and we are done.

• $H = P \gg_x P^{+\prime}$, then the rule R.3 implies that $P^+ \rightsquigarrow^{E_T:b:z'} P^{+\prime}$; by applying the induction hypothesis there exists a derivation $Q^+ \rightsquigarrow^{F_T:b:y'} Q^{+\prime}$. By assuming $z \notin \psi(P)$ we get $P \gg_y Q^+ \rightsquigarrow^{E_T:b:z} P \gg_y Q^{+\prime}$.

1.2. If $P \gg_x P^+ \rightsquigarrow^{d} H$, we distinguish two cases according to $H$:

• $H = P' \gg_x P^+$, the rule R.r.1 implies that $P \rightsquigarrow^{d} P'$ with $x \in \psi(P^+)$. The induction hypothesis ensures that $(P^+, Q^+) \in \mathfrak{R}$. Hence, $y \in \psi(Q^+)$. By applying the rule R.r.1 we get the derivation

• $H = P' \gg_x P^{+\prime}$, the rule R.r.2 implies that $P \rightsquigarrow^{d} P'$ and $P^+ \rightsquigarrow^{d} P^{+\prime}$ with $x \notin \psi(P^+)$. Hence $y \notin \psi(Q^+)$. By applying the rule R.r.2 we get the derivation: $P \gg_y Q^+ \rightsquigarrow^{d} P' \gg_y Q^{+\prime}$.

□



6. ON THE TIMED CAUSAL BISIMULATION OVER THE TIMED CONFIGURATIONS

Definition 12. A $\tau$-bisimulation linking the timed causal configurations of $\mathcal{C}_T$ is a binary relation $\mathfrak{R}$ that comes with an events' bijection $f$ and satisfies the following conditions:

1.1. if $Q_T \rightsquigarrow^{E_T:b:x} Q'_T$ then there exists $P_T \rightsquigarrow^{F_T:b:y} P'_T$ such that

i. $z : b : t \in E_T$ if and only if $f(z) : b : t \in F_T$, for some $t \in \mathbb{R}^+$, and

ii. $(Q'_T, P'_T)_{f'} \in \mathfrak{R}$ where

$$f' = (f \cap_1 (\psi(Q'_T) - x)) \cap_2 (\psi(P'_T) - y) \cup \{(x, y)\}.$$

1.2. if $Q_T \rightsquigarrow^{d} Q'_T$ then $P_T \rightsquigarrow^{d} P'_T$ and $(Q'_T, P'_T)_f \in \mathfrak{R}$.

2.1. if $P_T \rightsquigarrow^{F_T:b:y} P'_T$ then there exists $Q_T \rightsquigarrow^{E_T:b:x} Q'_T$ such that

i. $z : b : t \in E_T$ if and only if $f(z) : b : t \in F_T$, for some $t \in \mathbb{R}^+$, and

ii. $(Q'_T, P'_T)_{f'} \in \mathfrak{R}$ where

$$f' := (f \cap_1 (\psi(Q'_T) - x)) \cap_2 (\psi(P'_T) - y) \cup \{(x, y)\}.$$

2.2. if $P_T \rightsquigarrow^{d} P'_T$ then $Q_T \rightsquigarrow^{d} Q'_T$ and $(Q'_T, P'_T)_f \in \mathfrak{R}$.



